Internal Auditor Independence

Internal Audit Independence

July 29, 2011

I run into more than a few internal auditors who struggle with independence. The people who pay their salaries and keep their team funded and staffed don’t understand what auditors do and therefore set the internal audit shops up for audit failure.

Sometimes I wonder if executives would actually prefer an ineffective, impotent audit function. If internal audit can actually say what is so, these executives might actually have to change their behavior or alter their choices –and who wants that kind of scrutiny and feedback?

Executives and managers commonly put up two hurdles to effective audit shops:

Asking internal auditors to report to those who they audit

Asking internal auditors to take part in managing the entity

One audit shop I evaluated in the 90’s was required by the executives to do both. I reviewed a retirement system’s compliance with the Texas Internal Audit Act a year after the Act was passed. The internal auditor of this retirement system – we’ll call her Bonnie - reported to the executive director of the retirement system –not to the board. He directed Bonnie’s every move and kept her busy doing special projects.

Because Bonnie wanted to keep her job, she did as he instructed. She came up with an “audit plan” every year – but never completed any of the audits!

This retirement system had $24 billion in investments at the time and employed ONE ineffective internal auditor. The Texas law requires that the retirement system report to the governing board, employ a qualified director, and follow the red book and yellow book simultaneously.

Bonnie lasted in her role as internal auditor for only a few more years because she was/did none of those things. The retirement system eventually changed its ways only because they were forced to do so by state law.

Bonnie did keep her job – but her position was retitled to "executive in charge of special projects"’ and a real internal audit shop was founded. Now the retirement system employs a more appropriate number of auditors - seven.

Independence means you report to those in charge of governance

What are auditors good for? Their objective, independent take on a subject matter. The governing body is supposed to be able to rely on them to uncover and report on risks to the organization. Then the board can make an informed decision on what to do about the risks. The governing board should be able to ask the internal auditor give them a true picture of what is going on inside their entity.

But if the internal auditor is afraid to tell the truth because they are afraid of losing their jobs, what good are they?

How do you keep an internal auditor from being afraid of losing their jobs? You make sure they are structurally independent. A picture is worth a thousand words:

LIKE THIS:

NOT LIKE THIS:

If the internal auditor has to report to the people it is auditing – then these powerful people might squelch the auditors results. In the first diagram, the internal auditor (renamed the Chief Audit Executive or CAE by the Institute of Internal Auditors) reports directly to the board and doesn’t fear reprimand if they say what is so.

This is just one of the many ways an internal auditor can be shielded from political ramifications when they tell the truth. For other ideas, you can check out chapter 3 of the Yellow Book (the GAO’s Government Auditing Standards).

Here is an excerpt from the GAO’s Government Auditing Standards that discusses internal auditor independence:

Organizational Independence for Internal Audit Functions:

3.16 Certain federal, state, or local government entities employ auditors to work for management of the audited entities. These auditors may be subject to administrative direction from persons involved in the entity management process. Such audit organizations are internal audit functions and are encouraged to use the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing in conjunction with GAGAS. Under GAGAS, a government internal audit function can be presumed to be free from organizational impairments to independence for reporting internally if the head of the audit organization meets all of the following criteria:

a. is accountable to the head or deputy head of the government entity or to those charged with governance;

b. reports the audit results both to the head or deputy head of the government entity and to those charged with governance;

c. is located organizationally outside the staff or line-management function of the unit under audit;

d. has access to those charged with governance; and:

e. is sufficiently removed from political pressures to conduct audits and report findings, opinions, and conclusions objectively without fear of political reprisal.

3.17 The internal audit organization should report regularly to those charged with governance.

Independence means you don’t help create the subject matter of the audit

Do you have kids/dogs/cats? Aren’t they brilliant little geniuses? A gift to the world and everyone who encounters them? Look, I’ve seen your kids/dog/cat, and you have a serious problem with objectivity!

You see, when you make the baby or adopt the pet, you have a hard time calling the baby ugly or badly behaved. This is why internal auditors have to be careful to stay clear of helping management create the subject matter they will later be asked to tell the truth about.

For instance, when the Obama Administration sent billions to the states in order to help stimulate the economy, every state’s leadership was overwhelmed. They knew they had to properly account for the monies and provide performance measures for the programs lickity split! And some of them asked for help setting up proper systems from their state auditors. Wise state auditors (who act as internal auditors for state functions) told the state agencies that they were on their own. No, the state auditor wouldn’t help create policies, procedures, and tracking systems because later they needed to be able to come in and say whether these management structures were working. They needed to be able to call the baby ugly and not feel any personal embarrassment. Who wants to admit that their kid talks back to adults or that their dog steals food off the kitchen counter? No, it isn’t adorable.

The Institute of Internal Auditors and the Government Accountability Office feel differently about this subject. The IIA acknowledges that internal auditors provide two main services – assurance services (telling the truth about the subject matter) and consulting services (making a baby).

Assurance services look like this:

Consulting services look like this:

Internal auditors do know lots of stuff about a broad range of subjects and are very helpful and process oriented. They are a great addition to a management team. But, when they are part of management, they lose their objectivity about the subject matter.

A GAO employee (the GAO authors the yellow book) once told me that internal audit is an oxymoron. No, he wasn’t calling internal auditors morons! He was saying that the terms don’t jive. Internal means you lose your objectivity and can’t audit – in his mind. That because internal auditors are part of management, so giving an completely objective view of the subject matter is impossible.

The GAO has a different term for what the IIA calls consulting services – they call them non-audit services and cautions auditors about taking non-audit services on:

3.20 Audit organizations at times may perform other professional services (nonaudit services) that are not performed in accordance with GAGAS. Audit organizations that provide nonaudit services must evaluate whether providing the services creates an independence impairment either in fact or appearance with respect to entities they audit.[Footnote 27] Based on the facts and circumstances, professional judgment is used in determining whether a nonaudit service would impair an audit organization's independence with respect to entities it audits.

But in case you can’t seem to help yourself in performing non-audit/consulting services, the GAO provides a little more guidance:

3.22 The following two overarching principles apply to auditor independence when assessing the impact of performing a nonaudit service for an audited program or entity: (1) audit organizations must not provide nonaudit services that involve performing management functions or making management decisions and (2) audit organizations must not audit their own work or provide nonaudit services in situations in which the nonaudit services are significant or material to the subject matter of the audits.

3.23 In considering whether audits performed by the audit organization could be significantly or materially affected by the nonaudit service, audit organizations should evaluate (1) ongoing audits; (2) planned audits; (3) requirements and commitments for providing audits, which includes laws, regulations, rules, contracts, and other agreements; and (4) policies placing responsibilities on the audit organization for providing audit services.

3.24 If requested to perform nonaudit services that would impair the audit organization's ability to meet either or both of the overarching independence principles for certain types of audit work, the audit organization should inform the requestor and the audited entity that performing the nonaudit service would impair the auditors' independence with regard to subsequent audit or attestation engagements.

Why am I telling you these things? Because it is time for some internal auditors to have a heart-to-heart with the leaders in their organizations.

Organization leaders shouldn’t push the internal auditor to do work that will ruin their independence and should shield them from political backlash when they tell the truth. That way, the resources that are dedicated to internal auditing will yield the greatest results.